What is Business Continuity Management (BCM)?
BCM is a form of risk management that deals with the threat of business activities or processes being interrupted by external and/or internal factors. It involves making arrangements to ensure you can respond as effectively as possible in the event of a disruption so mission-critical functions will continue to provide an acceptable level of service.
Effective business continuity can be best attained through the implementation of a business continuity management system (BCMS) aligned to its international standard, ISO 22301.
Find out more about ISO 22301 >>
What is the purpose of BCM?
BCM involves being prepared for disruption by identifying potential threats to your organization early and analyzing how day-to-day operations may be affected.
Effective BCM ensures the organization can provide a minimum acceptable service in spite of a disaster, and helps preserve corporate reputation and ultimately revenue. It may also improve insurance rates and provide new contract opportunities.
The current cyber threat landscape has made business leaders more aware of the risks of cyber attacks and the importance of being able to respond to and recover from such attacks. Effective BCM, based on international best-practice standards such as ISO 22301, can protect organizations from widespread business disruption in the event of a cyber attack, industrial action, natural disaster and more.
ISO 22301 – the international business continuity standard
The international standard ISO 22301:2012 provides a best-practice framework for implementing an optimized BCMS (business continuity management system), enabling you to minimize business disruption and continue operating in the event of an incident. An ISO 22301-aligned BCMS will include disaster recovery and business continuity plans to help your organization recover critical operations as quickly as possible.
How BCM can meet regulatory requirements
A growing body of legislation also requires organizations in essential areas to demonstrate a degree of organizational resilience; implementing effective business continuity measurements would be a good start.
The NIST CSF (Cybersecurity Framework)
In order to comply with the NIST CSF (Cybersecurity Framework), organizations must first consider the five core funcations of the framework, all of which can be obtained by implementing strong BCM:
- Identify potential cybersecurity risks to your information assets
- Protect yourself against these risks by developing and implementing safeguards
- Detect any irregular activity to determine if breaches have occurred
- Respond to any detected breaches to contain their impact
- Recover from these breaches by restoring any undermined assets
Learn more about NIST CSF >>
The EU's Network and Information Systems Directive 2018
Organizations offering essential services need to implement incident response capabilities in line with the requirements of the EU's Network and Information Systems Directive 2018 (NIS Regulations). Digital service providers (DSPs) within scope have the explicit requirement to put business continuity measures in place. Although not an explicit requirement for operators of essential services (OES), we strongly encourage them to consider implementing BCM measures; such measures would provide a well-defined structure for building incident response measures and effectively managing business interruptions.
Learn more about the EU's Network and Information Systems Directive 2018 >>
Free green paper: Business Continuity and ISO 22301 – Preparing for disruption
Download this paper to discover how ISO 22301 can support your implementation project, the benefits of business continuity management, and how business continuity differs from disaster recovery.
The BCM lifecycle
Effective BCM involves:
- Identifying critical activities;
- Performing a business impact analysis (BIA);
- Performing a risk assessment;
- Designing and implementing a business continuity plan (BCP);
- Testing and evaluating performance; and
- Putting a continual improvement process in place.
Find out how to write a BCM policy for your organisation >>
Business continuity planning (BCP)
Business continuity planning involves the processes and procedures for developing, testing and improving the BCP, which will enable an organisation to continue operating during a disaster and quickly return to the status quo. The BCP can be considered the ‘heart’ of a BCMS; best practice for forming the plan is set out in ISO 22301.
Disaster recovery planning
Disaster recovery planning prioritises fully recovering and returning to full functionality in the event of an incident, whereas BCM focuses on preserving an organisation’s ability to function. Having said that, there is still a clear overlap, and disaster recovery does fit within an organisation’s business continuity framework.
Disaster recovery plans are often relatively technical and focus on the recovery of specific operations, functions, sites, services or applications. The BCP might contain or refer to a number of disaster recovery plans.
Let’s get started on your BCM project
Let us share our expertise and support you on your journey to ISO 22301 compliance. Browse our range of best selling product, services and simple solutions.